Altai Super WiFi

Altai Certification Training
Backend Network Planning
Professional Services
Altai Technologies Limited

Not for Distribution Altai Confidential

Module Outline

- Service Controller Solution
  - Layer 2 Network Deployment Scenario
  - Layer 3 Network Deployment Scenario
- A3 ACS Solution

Service Controller Solution

- RADIUS or Active Directory in the existing network serves as the authentication server
- Multiple SSIDs for different groups of clients, e.g. staff and guest
- Each group of clients is allowed to access only specific network subnets
- A different authentication method can be applied to each SSID

www.altaitechnologies.com

Layer 2 Network Deployment Scenario

- Deployment scenario: an enterprise network of one or several buildings connected at layer 2.
- Solution 1: the Service Controller (SC) Internet port acts as the network backhaul, and the LAN port connects to the APs.
- Solution 2: one of the SC ports acts as the network backhaul.

Layer 2 Network Design

Intranet for staff
- Ingress VLAN 1
- Egress VLAN 10
- Client IP subnet 192.168.1.x
- AD or RADIUS Authentication
- Allowed access: intranet and internet

Internet for guest
- Ingress VLAN 2
- Egress VLAN 10
- Client IP subnet 192.168.2.x
- SC Local account
- HTML-Authentication

Layer 2 Network Solution I

[Network diagram]
Components: DHCP server, Intranet, Router, Firewall, Radius Server, Active Directory, Management Server, Service Controller, VLAN Switch, Altai AP
Other VLAN labels: VLAN 10, VLAN 20, VLAN 100
Service Controller: Internet Port: VLAN 10 & 20; LAN Port: VLAN 1 & 2
Trunk Port: VLAN 1, 2, 100
SSID_Intranet: 192.168.1.x, VLAN 1
SSID_Internet: 192.168.2.x, VLAN 2
Management SSID: 192.168.100.x, VLAN 100

Layer 2 Network Solution II

[Network diagram]
Components: DHCP server, Intranet, Router, Firewall, Radius Server, Active Directory, Management Server, Service Controller, VLAN Switch, Altai AP
Other VLAN labels: VLAN 10, VLAN 20, VLAN 100
Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20, 100; AP Port: VLAN 1, 2, 100
Trunk Ports between the VLAN Switch, Service Controller and Altai AP
SSID_Intranet: 192.168.1.x, VLAN 1
SSID_Internet: 192.168.2.x, VLAN 2
Management SSID: 192.168.100.x, VLAN 100

Layer 2 Active Directory Authentication Procedure

[Sequence diagram] Participants: User, AP, Service Controller, AD Server, DHCP server

Message labels, in the order they appear:
- User associates with wireless network
- EAPOL start
- EAP Request/identity
- EAP Response/identity
- Redirect the request to Service Controller
- EAP Response/Identity over AD
- EAP request
- EAP response
- EAP request over AD
- EAP Response over AD
- EAP success
- EAP success over AD and user configuration
- DHCP request
- Response DHCP request
- Send IP address back

Layer 2 HTML Authentication Procedure

[Sequence diagram] Participants: User, AP, Service Controller, Local account, DHCP server

Message labels, in the order they appear:
- User associates with wireless network
- Send DHCP request
- Redirect the request to DHCP server
- Response DHCP request
- Send IP address back
- User attempts to browse a Web site
- Redirect the request to Service Controller
- Request is intercepted
- Login page is returned
- User Login
- User login info is sent for authentication
- Login approved. User configuration settings are returned
- Transport page is sent
- Transport page sends request for session and welcome page
- Session and Welcome pages are sent

Layer 3 Network Deployment Scenario

- Deployment scenario: university and enterprise networks of multiple buildings connected at layer 3.
- Solution 1: two buildings are connected to each other at layer 3 (traffic is forwarded based on IP address). Since the SC communicates with the APs only by VLAN, an SC should be deployed in every building in this case.
- Solution 2: two buildings are connected to each other through a tunnel that supports VLANs. In this case, only one Service Controller is needed for the entire network.

Layer 3 Network Design Solution_I

Building 1

Intranet for staff
- Ingress VLAN 1
- Egress VLAN 10
- Client IP subnet 192.168.1.x
- AD or RADIUS Authentication
- Allowed access: intranet and internet

Internet for guest
- Ingress VLAN 2
- Egress VLAN 10
- Client IP subnet 192.168.2.x
- SC Local account
- HTML-Authentication

Building 2

Intranet for staff
- Ingress VLAN 3
- Egress VLAN 10
- Client IP subnet 192.168.3.x
- AD or RADIUS Authentication
- Allowed access: intranet and internet

Internet for guest
- Ingress VLAN 4
- Egress VLAN 10
- Client IP subnet 192.168.4.x
- SC Local account
- HTML-Authentication

Layer 3 Network Solution_I

[Network diagram]
Components: DHCP server, Intranet, Firewall, Radius Server, Router, Active Directory, two Service Controllers, two VLAN Switches, two Altai APs
Other VLAN labels: VLAN 10 & 30, VLAN 20 & 40
Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
Service Controller: Egress: VLAN 30 & 40; Ingress: VLAN 3 & 4
VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
VLAN Switch: Network: VLAN 30, 40; SC Port: VLAN 3, 4, 30, 40; AP Port: VLAN 3, 4
Trunk Ports between the VLAN Switches, Service Controllers and Altai APs
SSID_Intranet: 192.168.1.x, VLAN 1
SSID_Internet: 192.168.2.x, VLAN 2
SSID_Intranet: 192.168.3.x, VLAN 3
SSID_Internet: 192.168.4.x, VLAN 4

Layer 3 Solution I Authentication Procedure

[Sequence diagram, Building 1 for example] Participants: User, AP, Service Controller in Building 1, AD Server, DHCP server

Message labels, in the order they appear:
- User associates with wireless network
- EAPOL start
- EAP Request/identity
- EAP Response/identity
- Redirect the request to Service Controller
- EAP Response/Identity over AD
- EAP request
- EAP response
- EAP request over AD
- EAP Response over AD
- EAP success
- EAP success over AD and user configuration
- DHCP request
- Response DHCP request
- Send IP address back

Case study: ASTRI Deployment

[Network diagram]
Components: Intranet, Firewall, Router, Active Directory, Service Controller, VLAN Switch, Altai AP
Other VLAN labels: VLAN 10, VLAN 20
Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
DHCP server: 192.168.0.x
Trunk Ports between the VLAN Switch, Service Controller and Altai AP
SSID_Intranet: 192.168.0.x, VLAN 1, AD authentication
SSID_Internet: 192.168.0.x, VLAN 2, HTML authentication

Wireless Network

| SSID | Target Clients | VLAN | Authentication | Encryption |
|---|---|---|---|---|
| Intranet | Staff | | Active Directory | WPA/WPA2 |
| Internet | Guest | | Captive Portal | WPA-PSK |

VLAN Network

| SSID | VLAN_Ingress | Client IP Address | VLAN_Egress | Colubris Interface IP address |
|---|---|---|---|---|
| Intranet | | 192.168.0.x | 10 | 10.6.11.2 |
| Internet | | 192.168.0.x | 20 | 10.6.12.2 |

[Configuration screenshots; slide titles only]

Network configuration_ingress vlan

Network configuration_egress vlan

Network ports

DHCP server_1

DHCP server_2

DNS

Check IP routers

Join Active Directory

AD group configuration

Add RADIUS secret

Account Profiles_1

Account Profile_2

User account_1

User account_2

Access List

VSC AD Authentication_1

VSC AD Authentication_2

VSC AD Authentication_3

VSC HTML Authentication_1

VSC HTML Authentication_2

Layer 3 Network Design Solution_II

Intranet for staff
- Ingress VLAN 1
- Egress VLAN 10
- Client IP subnet 192.168.1.x
- AD or RADIUS Authentication
- Allowed access: intranet and internet

Internet for guest
- Ingress VLAN 2
- Egress VLAN 10
- Client IP subnet 192.168.2.x
- SC Local account
- HTML-Authentication

Layer 3 Network Solution_II

[Network diagram]
Components: DHCP server, Intranet, Firewall, Radius Server, Router, Active Directory, Service Controller, VLAN Switch, Multiple Layer3 tunnel, two Altai APs
Other VLAN labels: VLAN 10 & 30, VLAN 20 & 40
Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
Trunk Ports between the VLAN Switch, Service Controller and Altai APs
SSID_Intranet: 192.168.1.x, VLAN 1 (at each Altai AP)
SSID_Internet: 192.168.2.x, VLAN 2 (at each Altai AP)

Layer 3 Solution II Authentication Procedure

[Sequence diagram, Building 1 for example] Participants: User, AP, Multiple Layer3 Tunnel, Service Controller, AD Server, DHCP server

Message labels, in the order they appear:
- User associates with wireless network
- EAPOL start
- EAP Response/identity
- Redirect the request to Service Controller
- EAP request
- EAP response
- EAP success
- DHCP request
- EAP Request/identity
- EAP Response/Identity over AD
- EAP request over AD
- EAP Response over AD
- EAP success over AD and user configuration
- Response DHCP request
- Send IP address back

Case Study: Operator Network Deployment Solution

[Network diagram]
Labels: Tunneling Router (two), Standard DSL Modem/Router, Metro Ethernet Network, IP Service with PPPoE (Internet or MPLS VPN), Tunnel between AP and Controller?, Eth, DSLAM, ADSL, TUNNEL, BAS, AAA, Internet, IP Backbone, Controller, GE, Wireless Backhaul, WiFi, AP (Switch Mode), Multiple Access Point

Altai A3 ACS Solution

- Deployment scenario: hotzone; the whole network solution can be in one box.
- RADIUS or MAC in the existing network is the authentication server; there is no need to integrate with an Active Directory server
- Can use 3G as backhaul
- Roaming across A3s is not supported
- Local database is supported
- Multiple SSIDs for different groups of clients, such as staff and guest
- Each group of clients is allowed to access only specific network subnets
- A different authentication method can be applied to each SSID

ACS Network Design Solution

Intranet for staff
- Intranet ACS Profile
- Client IP subnet 192.168.0.x
- RADIUS authentication
- HTML-authentication
- Allowed access: intranet and internet

Internet for guest
- Internet ACS Profile
- Client IP subnet 192.168.0.x
- MAC authentication
- Allowed access: internet only

Altai A3 Access Control System

[Network diagram]
Components: Web Server, DHCP server, Firewall, Router, Radius Server, Switch, A3_Gateway Mode (ACS Profile)
SSID_Intranet: Intranet ACS Profile
SSID_Internet: Internet ACS Profile

ACS User Login Procedure

Case Study: Hotspot Operator ACS Profile Configuration

[Network diagram]
Components: Radius Server, Web Server, Hotspot Operator Noc, 3G network, 3G backhaul
A3_Gateway Mode: 10.6.127.200; DHCP server: 192.168.0.1
SSIDs: SSID_HTMLAuth, SSID_MACAuthrnet

Hotspot Operator Network Illustration

- 3G dongle as network backhaul
- A3 built-in DHCP server enabled
- Remote RADIUS server is for internal clients' authentication and accounting
- Remote Web server is for RADIUS server authentication
- Access control list is established to define the network access differences for multiple kinds of clients
- Local account is for MAC authentication of clients who can only access the internet

[Configuration screenshots; slide titles only]

ACS Profile

Local Account

RADIUS Server

Access Rules 1

Access Rules 2

Access Rules Profile

HTMLAuth Profile

MACAuth Profile

Export ACS profile

Thank You
